Hello team bitkit 👋,
Danny here from @WalletScrutiny
📱 Reproducibility Issues with Bitkit Wallet v1.1.2
Overview
We attempted to verify the reproducibility of Bitkit wallet v1.1.2 and found that the build is not reproducible. This issue outlines our findings.
Build Environment
- Repository: https://github.com/synonymdev/bitkit
- Commit: 62a4429db3c79987c86058eaf60a90f8e741fcb1
- Build Method: Docker container using `scripts/test/android/to.bitkit.dockerfile`
- Build Server: Debian Bookworm
Issues Identified
- Missing Environment Variables
  The build initially failed due to undocumented environment variables required in the `.env` file:
  ```
  BACKEND_HOST=https://api.bitkit.to/
  DEFAULT_BITCOIN_NETWORK=bitcoin
  CHATWOOT_API=https://app.chatwoot.com/api/v1
  E2E=false
  ```
- Resource File Differences
  Significant differences in resource files between the built APK and the Play Store APK.
- Code Differences
  Differences in `classes.dex`, `index.android.bundle`, and other compiled artifacts.
- Unsigned Git Tags and Commits
  No valid signatures found on annotated tag or commit.
Why This Matters
Reproducible builds are essential for security and transparency. They allow users and third parties to verify that the published app matches the source code, ensuring no unexpected code has been introduced.
We'd be happy to collaborate on improving the reproducibility of Bitkit. Please let us know if you need any clarification or additional information about our findings.
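As an added check (example code, not WalletScrutiny's or Bitkit's own tooling), the APK comparison described in this issue can be reproduced entry by entry: an APK is a zip archive, so hashing every entry and skipping the META-INF signing files shows exactly which artifacts (here `classes.dex` and `index.android.bundle`) diverge between a local build and the store release. The two APKs below are constructed in memory; in practice `compare_apks()` would be pointed at the locally built APK and the one pulled from the Play Store.

```python
import hashlib
import io
import zipfile

# Signing artefacts under META-INF/ are expected to differ between an unsigned
# local build and the store APK, so they are skipped by default.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def entry_hashes(apk_bytes: bytes) -> dict:
    """Map each file entry in the APK (a zip archive) to the SHA-256 of its bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)


def compare_apks(built: bytes, published: bytes, ignore_signature: bool = True) -> dict:
    """Report entries that differ, entries present in only one APK, and how many match."""
    a, b = entry_hashes(built), entry_hashes(published)
    names = set(a) | set(b)
    if ignore_signature:
        names = {n for n in names if not is_signature_entry(n)}
    return {
        "differ": sorted(n for n in names if n in a and n in b and a[n] != b[n]),
        "only_in_built": sorted(n for n in names if n not in b),
        "only_in_published": sorted(n for n in names if n not in a),
        "identical": sum(1 for n in names if n in a and n in b and a[n] == b[n]),
    }


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: dex and JS bundle differ, the manifest matches, only the store APK is signed.
BUILT_APK = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-local",
                      "assets/index.android.bundle": b"bundle-local"})
PUBLISHED_APK = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-store",
                          "assets/index.android.bundle": b"bundle-store",
                          "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf",
                          "META-INF/MANIFEST.MF": b"mf"})
```

Running `compare_apks(BUILT_APK, PUBLISHED_APK)` on the samples lists the bundle and dex under `differ`, with no entries unique to either side once signing files are ignored; a genuinely reproducible build would leave `differ` empty.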